It has happened again: for the second time in a few months, the hackers at Google Project Zero have publicly disclosed a vulnerability affecting Microsoft Windows operating systems, from Windows Vista Service Pack 2 to the latest Windows 10, that the IT giant had yet to patch.

The good news for attackers, and the bad news for defenders, is that the Google experts also published proof-of-concept exploit code.

Project Zero researchers publicly disclosed the flaw in Windows because Microsoft failed to patch it within the 90-day window given by Google.

The flaw affects the Windows Graphics Device Interface (GDI) library (gdi32.dll); Google Project Zero member Mateusz Jurczyk reported it to the Microsoft Security Team on June 9, 2016.

The Windows GDI library enables applications to use graphics and formatted text on both the video display and a local printer.

The vulnerability, tracked as CVE-2017-0038, could be exploited by an attacker to read the content of the user’s memory using specially crafted Enhanced MetaFile (EMF) files. The EMF file can be hidden inside other documents, which makes the bug very insidious.

“I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file,” Jurczyk explained.

The impact of the vulnerability is serious because it affects any application that uses the GDI library. An attacker can exploit the vulnerability to steal sensitive data from the memory of the vulnerable system.

According to the vulnerability report filed by the engineers at Google’s Project Zero team, the flaw is part of a set of issues that were discovered in March 2016 and fixed in June 2016 with the release of the Microsoft security bulletin MS16-074.

Unfortunately, Microsoft failed to fully address the flaw in the GDI library with the patch released on June 15, 2016. The security updates did not solve all the issues in the Windows library, so the Project Zero experts reported it to Microsoft again, with a proof-of-concept, on November 16.

“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” states Jurczyk in the second report.
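The article notes that the crafted EMF can be hidden inside a .docx. As an added defender-side example (not from the article or from Project Zero), the script below opens a .docx, locates embedded EMF images under word/media/, validates the ENHMETAHEADER signature, and walks the record table, reporting bitmap-carrying records and any record whose declared size runs past the end of the file. The sample document and its EMF are constructed inline; the record type values are taken from the EMF record table.

```python
import io
import struct
import zipfile

EMR_HEADER, EMR_EOF, EMF_SIGNATURE = 1, 14, 0x464D4520  # " EMF" at header offset 40
# Record types that can carry DIB/bitmap payloads (values from the EMF record table).
BITMAP_RECORDS = {76: "EMR_BITBLT", 77: "EMR_STRETCHBLT", 78: "EMR_MASKBLT",
                  79: "EMR_PLGBLT", 80: "EMR_SETDIBITSTODEVICE", 81: "EMR_STRETCHDIBITS"}

def parse_emf(data):
    """Return the list of record types ('truncated' marks a record running past EOF), or None if not EMF."""
    if len(data) < 88 or struct.unpack_from("<I", data, 0)[0] != EMR_HEADER \
            or struct.unpack_from("<I", data, 40)[0] != EMF_SIGNATURE:
        return None
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or off + rsize > len(data):  # declared size lies past the file end
            records.append("truncated")
            break
        records.append(rtype)
        if rtype == EMR_EOF:
            break
        off += rsize
    return records

def scan_docx(docx_bytes):
    """Summarise every EMF under word/media/ in a .docx (a ZIP container)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            records = parse_emf(z.read(name)) if name.startswith("word/media/") else None
            if records is not None:
                bitmap = [BITMAP_RECORDS[t] for t in records if t in BITMAP_RECORDS]
                findings[name] = {"records": len(records), "bitmap_records": bitmap,
                                  "truncated": "truncated" in records}
    return findings

def build_sample_docx():
    """Constructed .docx holding one minimal EMF: header, EMR_STRETCHDIBITS, EMR_EOF."""
    hdr = struct.pack("<II", EMR_HEADER, 88) + bytes(32)     # iType, nSize, rclBounds, rclFrame
    hdr += struct.pack("<III", EMF_SIGNATURE, 0x10000, 188)  # dSignature, nVersion, nBytes
    hdr += bytes(88 - len(hdr))                              # remaining header fields zeroed
    body = struct.pack("<II", 81, 80) + bytes(72)            # EMR_STRETCHDIBITS, payload zeroed
    body += struct.pack("<II", EMR_EOF, 20) + bytes(12)      # EMR_EOF
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/media/image1.emf", hdr + body)
        z.writestr("word/media/image2.png", b"\x89PNG not an EMF")
    return buf.getvalue()
```

The script only surfaces EMF files and their record profile for closer inspection; it does not by itself decide that a file is malicious.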

Three months have passed, but Microsoft has still not fixed the vulnerability, so Google security experts released the details of the flaw to the public.

Mateusz Jurczyk, the Google hacker who discovered the bug, highlighted that the MS16-074 patches were not sufficient to address the issue; this means that threat actors in the wild can now exploit the flaw in targeted attacks.

The good news, in this case, is that an attacker needs physical access to the target machine to exploit the vulnerability. The Google Project Zero team decided to disclose the vulnerability because it was convinced that Microsoft would not release security updates this month.

Recently Microsoft delayed this month’s Patch Tuesday by a month due to “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates” on 14th February.

Experts believe that the flaw in the GDI library will remain unpatched for almost a month, which means that attackers in the wild may exploit it in the coming weeks.

Windows systems will remain vulnerable to cyber attacks until March 15th, when Microsoft plans to release both the February and March security updates.

Researchers at Google confirmed that there is no mitigation measure to protect vulnerable systems from attackers that exploit this bug.

A previous case

This is the second time Google decided to disclose a vulnerability before Microsoft had fixed the issue.

In November 2016, the experts at Google disclosed details about a zero-day exploited by the notorious cyber-espionage group known as APT28, a few days before Microsoft’s November Patch Tuesday.

The zero-day could be exploited by attackers to gain administrator-level access by escaping the sandbox protection and executing malicious code.

Google chose to publicly disclose the flaw just ten days after privately reporting it to Microsoft, giving the company very little time to issue security updates.

According to Google, the reason for going public without waiting for a patch was that its experts had observed exploits for the flaw in the wild.

“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly-unknown vulnerabilities — to Adobe and Microsoft. Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe’s updater and Chrome auto-update.” reads a blog post published by Google.

According to Google’s Neel Mehta and Billy Leonard, the Windows zero-day “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

Microsoft criticized Google’s decision because the disclosure of a zero-day exploit potentially puts its customers at risk of cyber attacks.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

To disclose or not to disclose, that is the question

Many experts criticized Google’s decision to disclose the vulnerabilities after Microsoft failed to fix them, especially when there is no possible mitigation.

Customers remain exposed to attacks by threat actors who could leverage the exploit code shared by the Project Zero team.

In circumstances like this, cooperation between the two IT giants should be the best option for end users, but evidently this is a utopia.

Pierluigi Paganini is CTO at Cybaze Enterprise SpA.
Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years’ experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
